Trojan Horses and Viruses

Copyright(c) Management Analytics, 1995 - All Rights Reserved

Copyright(c), 1990, 1995 Dr. Frederick B. Cohen - All Rights Reserved

Problem:

Trojan horses in the search path are very easy to implement in UNIX, primarily because of the search mechanism used to find an executable program. For each command invoked by name, the shell examines the directories in the search path in order and runs the first file of that name it finds. If a Trojan horse appears earlier in the path than the desired program, the Trojan horse is run instead of the legitimate program. A programmer can easily design the Trojan horse so that the legitimate program is executed after the Trojan horse has done its work, and thus hide the new function from the unsuspecting user.
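The two conditions that make this attack possible can be audited directly: a directory in the path that an attacker can write to, and a command name that exists in more than one path directory so that the earlier copy shadows the later one. The script below is an added example, not code from the original article; it assumes only POSIX sh, ls, tr and awk, and the "CWD", "MISSING", "WORLD-WRITABLE" labels are its own.

```sh
#!/bin/sh
# Added example (not from the original article): audit a search path for the
# conditions a search-path Trojan horse needs. Uses only POSIX sh, ls, tr, awk.

# Report PATH entries an attacker could plant a program in: empty entries and
# "." (both mean the current directory), directories that do not exist, and
# world-writable directories (others-write bit, column 9 of "ls -ld" output).
path_risky_dirs() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "") echo "CWD (empty entry)" ;;
            .)  echo "CWD ." ;;
            *)
                if [ ! -d "$dir" ]; then
                    echo "MISSING $dir"
                else
                    case "$(ls -Lld "$dir")" in
                        d???????w*) echo "WORLD-WRITABLE $dir" ;;
                    esac
                fi ;;
        esac
    done
}

# Report every command name present in two or more PATH directories as
# "name: EARLIER-DIR shadows LATER-DIR". The earlier directory wins at run
# time, which is exactly the property a search-path Trojan horse exploits.
path_shadows() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] && printf '%s\t%s\n' "${f##*/}" "$dir"
        done
    done | awk -F'\t' '
        $1 in first { print $1 ": " first[$1] " shadows " $2; next }
        { first[$1] = $2 }'
}

# Usage on a live system:
#   path_risky_dirs "$PATH"
#   path_shadows "$PATH"
```

On systems where /bin is a link to /usr/bin, or where a local prefix deliberately overrides vendor binaries, path_shadows will report benign duplicates; the entries to look at are shadows coming from a directory that path_risky_dirs also flags, or from any directory owned by an ordinary user.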

Prevention:

Trojan horses can be prevented by sound change control (a system which controls the programs entering the environment), but this doesn't work well under UNIX because users tend to make changes and use programs belonging to other users.

Detection:

Trojan horses placed in the path can be detected by integrity shells, which can automatically and transparently prevent running this sort of Trojan horse.

Cure:

Once a Trojan horse in the path is found, it is usually easy to remove by deleting the offending program and (if appropriate) replacing it with a clean copy. You should also try to find the user who placed the Trojan horse (perhaps by looking at the owner of the file). Be careful: a Trojan horse runs with the Uid of whoever invokes it, so it can easily install a second Trojan horse that is owned by an innocent victim, and thus misdirect the defender.

Problem:

Trojan horses can also be used to spoof terminal login sessions. The attacker need only leave a program running on a terminal that simulates the normal login sequence (which can be done in a few lines of sh) and saves a copy of the login name and password in a file.

Prevention:

Spoofing like this can be prevented by providing a `secure' path between the user and the operating system, but no such facility is normally provided with UNIX.

Detection:

To detect spoofing, you can look for terminals that have no user logged in on them but nevertheless have processes active. Another common detection method is to look for processes on terminals that haven't had any IO for a long period of time (although this is inappropriate in some environments).
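The first check above can be automated by comparing the list of logged-in terminals with the list of terminals that have processes attached. The script below is an added example, not code from the original article. It assumes the output formats of `who` (second column is the terminal) and of `ps -eo tty,pid,comm` (a header line, then terminal, pid and command; "?" or "-" for no controlling terminal); both sample listings are constructed, not captured from a real system.

```sh
#!/bin/sh
# Added example (not from the original article): find terminals that have
# processes but no logged-in user, the footprint of a login spoofer left
# running on an "idle" terminal. Input formats are assumed (see lead-in).

# Constructed sample of `who`: two users on pts/0 and tty2.
WHO_SAMPLE='alice    pts/0        2024-05-01 09:12 (10.0.0.5)
bob      tty2         2024-05-01 08:50'

# Constructed sample of `ps -eo tty,pid,comm`: tty3 has processes but no user.
PS_SAMPLE='TT         PID COMMAND
?            1 init
pts/0     1203 bash
tty2      1420 bash
tty3      1511 sh
tty3      1512 sh'

# Print "tty pid command" for every process whose terminal has nobody logged
# in. Arguments: the who text, then the ps text.
spoof_candidates() {
    logged=$(printf '%s\n' "$1" | awk 'NF { printf "%s ", $2 }')
    printf '%s\n' "$2" | awk -v logged="$logged" '
        BEGIN { n = split(logged, t, " "); for (i = 1; i <= n; i++) seen[t[i]] = 1 }
        NR == 1 { next }                        # ps header line
        $1 ~ /^\?+$/ || $1 == "-" { next }      # no controlling terminal
        !($1 in seen) { print $1, $2, $3 }'
}

# Against the constructed samples this prints the two processes on tty3.
spoof_candidates "$WHO_SAMPLE" "$PS_SAMPLE"

# On a live system:
#   spoof_candidates "$(who)" "$(ps -eo tty,pid,comm)"
```

On BSD-derived systems `who` and `ps` abbreviate terminal names differently (for example ttys000 versus s000), so normalize the names before comparing. Every hit still has to be judged by hand: a legitimate background job on a terminal whose user has since logged out looks exactly the same to this check.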

Cure:

Eliminating a spoofing program of this sort involves killing the process currently spoofing a login, identifying the perpetrator (the Uid the process runs under is the starting point), and acting appropriately to prevent further attacks.

Problem:

Viruses can be used to spread an attack throughout a system or network. A virus works by replicating inside programs: each `infected' program, when run, spreads the virus further. The UNIX protection mechanisms are inadequate for virus defense, because a program runs with the full access rights of the user who invokes it, including write access to every program that user is allowed to modify.

Prevention:

Viruses cannot be completely prevented under UNIX or any other modern operating system except by eliminating sharing, or eliminating programming. This is almost never feasible in a modern UNIX system.

Detection:

Viruses can reliably be detected by using an integrity shell instead of the normal UNIX shell. An integrity shell checks each program against a stored cryptographic checksum before running it, so a program that has been modified by a virus is caught before it executes. Integrity shells for UNIX have been in use for several years, and work transparently to the normal user.
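The mechanism an integrity shell relies on, reduced to three functions, is shown below as an added example. It is not the integrity shell software the article refers to and not code from the original article. It records a baseline of SHA-256 hashes for every regular file (programs and library files alike) in the directories you trust, and runs a program only if its current hash still matches; the same check catches the search-path and library Trojan horses discussed on this page once a trusted baseline exists. Assumed: sha256sum (coreutils) or shasum (BSD/macOS) is installed, and the default baseline location is made up.

```sh
#!/bin/sh
# Added example (not from the original article): a minimal integrity shell.
# Assumes sha256sum or shasum is present; BASELINE default is made up.

BASELINE="${BASELINE:-$HOME/.integrity-baseline}"

# Print "hash  path" for one file with whichever SHA-256 tool exists.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi
}

# Record the hash of every regular file in the given directories.
# Run this once from a state you trust, e.g. right after installation.
integrity_baseline() {
    : > "$BASELINE"
    for dir in "$@"; do
        for f in "$dir"/*; do
            [ -f "$f" ] && hash_file "$f" >> "$BASELINE"
        done
    done
    return 0
}

# Compare one file with the baseline.
# Returns 0 if unchanged, 1 if its hash differs, 2 if it was never recorded.
integrity_check() {
    recorded=$(awk -v p="$1" '$2 == p { print $1; exit }' "$BASELINE")
    [ -n "$recorded" ] || return 2
    [ "$(hash_file "$1" | awk '{ print $1 }')" = "$recorded" ] || return 1
}

# The "shell" part: run a program, given by full path, only if it passes.
# Status 126 mirrors what a shell returns for a command it will not run.
integrity_run() {
    prog="$1"; shift
    if integrity_check "$prog"; then
        "$prog" "$@"
    else
        echo "integrity shell: refusing to run $prog (modified or unknown)" >&2
        return 126
    fi
}

# Usage:
#   integrity_baseline /usr/bin /usr/lib
#   integrity_run /usr/bin/ls -l
```

Two caveats a real integrity shell has to address and this sketch does not. The check and the execution are separate steps, so a file swapped between them is not caught; the real thing performs the check inside its own exec path. And the baseline is only as good as its protection: if a virus can write to the baseline file, it simply records its own hashes, so the baseline belongs on read-only or off-line storage, or under a signature the virus cannot forge.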

Cure:

Viruses are best cured with on-line backups which automate the restoration of corrupted information under an integrity shell. Off-line backups are also effective in many cases, as long as good detection is in place. Without good detection, backups are ineffective against viruses.

Problem:

Trojan horses can often be placed in libraries or other commonly used areas. A Trojan horse placed in a library is linked into every legitimate program that other users compile against that library, and so spreads without those users touching the Trojan horse directly.

Prevention:

Publicly accessible common use libraries should not be permitted in most computing environments. A better approach is to use sound change control and have a library administrator who is in charge of examining source code and compiling all information placed in libraries.

Detection:

There is no sound way to detect a Trojan horse in a library file except by examining every instruction in the file.

Cure:

Once detected, libraries can usually be cleaned by replacing all of the corrupt files with legitimate copies. Without good detection, cure is infeasible.